\subsection{Introduction}
\begin{frame}
    \frametitle{Instructors}
    \begin{block}{Pedram Amini}
        \begin{itemize}
            \item Manages the TippingPoint DVLabs Security Research Team
                \pedbullet{http://dvlabs.tippingpoint.com}
            \item Wrote PaiMei RE framework and Sulley fuzzing framework
            \item Founded OpenRCE.org
            \item Authored "Fuzzing: Brute Force Vulnerability Discovery"
        \end{itemize}
    \end{block}
    \begin{block}{Ero Carrera}
        \begin{itemize}
            \item Employed by Zynamics GmbH and Chief Research Officer at VirusTotal
            \item Reverse engineering, malware analysis and automation research
            \item Developer of \emph{pefile}, \emph{pydot}, \emph{pydasm}, \emph{ida2sql} and \emph{Pythonika}
        \end{itemize}
    \end{block}
\end{frame}

\begin{frame}
    \frametitle{What is Reverse Engineering?}
    \begin{definition}
        As it applies to software, reverse engineering is the process of unraveling the inner workings of a given system in the absence of source code.
    \end{definition}

    \begin{itemize}
        \item Also known as \alert{RE} or \alert{RCE}
        \item As simple as monitoring behavior from a high level
        \item As complex as reviewing individual instructions within an application
        \item Example questions reverse engineers seek to answer:
            \begin{itemize}
                \item What \alert{exactly} does this software do?
                \item Which lines of code are responsible for handling user input?
                \item How long can this parameter be before I corrupt the targets memory?
            \end{itemize}
    \end{itemize}
\end{frame}

\begin{frame}
    \frametitle{Who Hires Reverse Engineers?}
    \begin{itemize}
        \item Computer security firms, for discovering new software vulnerabilities
        \item AV companies, for analyzing new viruses and worms
        \item IPS vendors, for patch analysis
        \item Tuning shops, for dissecting ECUs
        \item Competitors, for unveiling your secret sauce
        \item Data recovery shops, for rebuilding specifications when source code is lost
    \end{itemize}
\end{frame}

\begin{frame}
    \frametitle{Questions for the Class}
    \begin{itemize}
        \item Who has past experience with IDA / disassembling?
        \item Who has past experience with OllyDbg / debugging?
        \item Who has past experience with Python?
        \item Who is a member of OpenRCE?
        \item Who has taken BH training before?
        \item Any professional reversers in the class?
    \end{itemize}
    \begin{block}{Introductions}
    Please introduce yourselves the first time you interact with one of us or the class. Name, country, company, favorite color, etc...
    \end{block}
\end{frame}

\begin{frame}
    \frametitle{Course Objectives}
    \begin{itemize}
        \item Learn the key concepts of Portable Executable files
        \item Create a functional and customized RCE environment
        \item Familiarize with industry standard tools and practices
        \item Gain real-world, hands on experience
        \item Wield the power of RCE to deal with common trickery
        \item Understand and subvert executable protections
        \item Apply cutting edge technologies to save analysis time
        \item Learn how to do all of the above quickly
            \pedbullet{You will be forced to put your mouse to rest ;-)}
        \item The class focus is on malware analysis, which is a vast field
            \pedbullet{We've selected subjects that we feel have real-world application}
    \end{itemize}
\end{frame}


\subsection{Malware Analysis}
\begin{frame}
    \frametitle{What is Malware Analysis?}
    \begin{definition}
        \emph{Malware Analysis} is the study of unknown code to discover it's purpose and functionality.
    \end{definition}
    \begin{itemize}
        \item Main goal
            \pedbullet{Glean relevant information in a timely manner}
            \pedbullet{Can not stress this point enough}
        \item Unfolding of a story
            \pedbullet{Each analysis technique may add another chapter to the story}
    \end{itemize}
\end{frame}

\begin{frame}
    \frametitle{Malware Classifications}
    \begin{itemize}
        \item Virus
            \pedbullet{Software which infects other applications and uses them as a spreading medium}
        \item Trojan
            \pedbullet{A malicious application which presents itself as something else}
        \item Worm
            \pedbullet{Code with the ability to spread from computer to computer by means of different network protocols}
        \item Spyware
            \pedbullet{Applications aiming to harvest personal information}
        \item Rootkit
            \pedbullet{Hidden tool/s providing stealth services to its writer}
    \end{itemize}
\end{frame}

\begin{frame}
    \frametitle{Malware Components}
    \begin{itemize}
        \item Infection
            \pedbullet{Exploit}
            \pedbullet{Social engineering}
        \item Payload
            \pedbullet{Destruction}
            \pedbullet{Theft}
            \pedbullet{Stealth}
            \pedbullet{Agent}
        \item Propagation
    \end{itemize}
\end{frame}

\begin{frame}
    \frametitle{A Look at Propagation}
    \begin{itemize}
        \item Low level attack vectors
            \pedbullet{Stack overflows}
            \pedbullet{Heap overflows}
            \pedbullet{Format string vulnerabilities}
        \item Higher level attack vectors
            \pedbullet{Browser exploitation}
        \item Highest level attack vectors
            \pedbullet{Social engineering}
            \pedbullet{Mass e-mails}
    \end{itemize}
\end{frame}


\subsection{Questions to Consider}
\begin{frame}
    \frametitle{How is it Spreading?}
    \begin{itemize}
        \item If over IP, how fast?
        \item Is the prand() biased?
        \item Does it contain a mass mailer?
        \item Does it spread over network shares?
        \item Does it spread over P2P or other file transfer mediums?
        \item Does it spread over an exploit?
    \end{itemize}
\end{frame}

\begin{frame}
    \frametitle{Does it Contain a Backdoor?}
    \begin{itemize}
        \item Does it connect to an IRC server?
        \item Does it bind to any ports?
        \item Does it retrieve data from the web?
        \item Does it retrieve data from news groups?
    \end{itemize}
\end{frame}

\begin{frame}
    \frametitle{What Modifications Are Made?}
    \begin{itemize}
        \item Does it create/modify/edit/delete any registry keys?
        \item Does it create/modify/edit/delete any files?
        \item Does it modify any running processes?
        \item Does it modify itself?
    \end{itemize}
\end{frame}

\begin{frame}
    \frametitle{Why Was it Written?}
    \begin{itemize}
        \item Depending on your goal this question could be the most important of all
        \item Targeted attack?
        \item Information theft?
        \item DDoS network?
    \end{itemize}
\end{frame}

\begin{frame}
    \frametitle{Who Wrote it?}
    \begin{itemize}
        \item What compiler was used?
        \item What date was it created on?
        \item What stylistic characteristics stand out?
    \end{itemize}
\end{frame}

\begin{frame}
    \frametitle{The Logical Three}
    \begin{itemize}
        \item We classify code into one of three logical categories:
        \item Constant code
            \begin{itemize}
                \item Code that is continuously running during execution
                \item Ex: IP Scanning loops, e-mail harvesting loops
            \end{itemize}
        \item Reactive code
            \begin{itemize}
                \item Code that is executed in reaction to an event
                \item Ex: An exploitable system was discovered
            \end{itemize}
        \item Dormant code
            \begin{itemize}
                \item Code that is designed to execute at a certain date
                \item Ex: coordinated DDoS attack
            \end{itemize}
    \end{itemize}
\end{frame}
